We use some shared accounts (Yes I know it's bad, I am not allowed to change it.) Someone using the shared account is deleting data on a remote server so I need to figure out what computer they are using when they delete the file.

We have an Active Directory domain.All PCs run Windows (2000/XP/Win7) and are domain members.

I have turned on auditing and can see the account deleting the file but I don't know of any way to get the computer account as well.

Fron the Article:To recap just for a moment, when Fred logs on at his workstation for thefirst time that day, the domain controller that handles that logon will logevent ID 672, closely followed by an event ID 673 where the ServiceName corresponds to the computer name of Fred’s workstation.

The key statement which seems to get glossed over is "closely followed by". If you have many users authenticating at or near the same time the "closely followed by" is kinda useless.

I can the username and ip from the security log but there is no way to tie them together conclusively.

Ah Active Directories..been ages for me. Can't you just resolve the host name of the machine by pinging the local IP address. I mean, if you have the local IP that should be enough to figure out where it's coming from.

Well at college we have stickers with the computer names on the machines. I believe pinging the local IP with option '-a' was enough to make the host name appear. Then it was really simple to figure out who did what on which machine

Last edited by zeroflaw on Thu Mar 04, 2010 1:11 pm, edited 1 time in total.

Sorry, I don't get it. I thought you meant shared as in multiple people can log in with the same account. So you get the IP from the machine that's used to log in. How would you be able to figure out who's sitting at the machine? I don't think you can, unless you're able to find out who used the machine at a specific time.

You asked how to figure out which machine is being used when they delete the file.

I agree with ZeroFlaw, your orignal question was which computer this was coming from. You now have an IP address and should be able to track it down. Your audting should show when the file is deleted and which machines had logegd in using that username, then do process of elimination

JerichoJones wrote:All this would be fine but I am talking about a shared account.

We used to have shared accounts, but when we started getting viruses (and having to waste time cleaning the boxes), and people surfing porn with them, they didn't last much longer. Prior to that, it was a huge fight with the company about the accounts.

If the scenario is that many different persons use the same user account on a computer, then there should be hardly a possibility to determine which person is at the moment using the account. One solution would be a webcam which is enabled or some sort of spy cam. If you know each person very well you could analyze logs and look for visited websites etc. as you could maybe match it to a certain person.